[gst-cvs] gst-plugins-good: flvmux: fix invalid write caused by using sizeof("string" ) as length

Tim Mueller tpm at kemper.freedesktop.org
Sat Aug 1 04:23:49 PDT 2009


Module: gst-plugins-good
Branch: master
Commit: 93690bfdd65247709247d8d6e32f07111320ca14
URL:    http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=93690bfdd65247709247d8d6e32f07111320ca14

Author: Tim-Philipp Müller <tim.muller at collabora.co.uk>
Date:   Fri Jul 31 20:25:17 2009 +0100

flvmux: fix invalid write caused by using sizeof("string") as length

sizeof("foo") includes the string's NUL-terminator in the size returned,
but we're writing strings here with an explicit size at the beginning
and no NUL-terminator. In most cases using sizeof("foo") as length in
memcpy is not harmful, but it is where the string goes right at the
end of our buffer to write, since we don't allocate space for that
NUL terminator.

---

 gst/flv/gstflvmux.c |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/gst/flv/gstflvmux.c b/gst/flv/gstflvmux.c
index 2b5cacc..ab385f0 100644
--- a/gst/flv/gstflvmux.c
+++ b/gst/flv/gstflvmux.c
@@ -600,8 +600,8 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
   data = GST_BUFFER_DATA (tmp);
   data[0] = 2;                  /* string */
   data[1] = 0;
-  data[2] = 0x0a;               /* length 10 */
-  memcpy (&data[3], "onMetaData", sizeof ("onMetaData"));
+  data[2] = 10;                 /* length 10 */
+  memcpy (&data[3], "onMetaData", 10);
 
   script_tag = gst_buffer_join (script_tag, tmp);
 
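Review bot: Each name length is now written up to three times per field (the comment, the length byte and the `memcpy` count), so a later rename can silently desynchronise the AMF length prefix from the bytes copied, which is the same class of mistake this commit fixes. Deriving the count from the literal keeps the out-of-bounds write fixed without a magic number, e.g. `memcpy (&data[3], "onMetaData", sizeof ("onMetaData") - 1);`, ideally with the length byte taken from the same expression. The same applies to the `duration`, `AspectRatioX`, `AspectRatioY`, `metadatacreator` and `creationdate` hunks and to the `gst_flv_mux_write_index` hunk, which also still writes `data[2] = 0x0a` while this hunk now uses `10`. The allocation of `tmp` is outside the hunk, so whether it is sized for exactly 3 + 10 bytes cannot be confirmed from here.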
@@ -682,7 +682,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
     data = GST_BUFFER_DATA (tmp);
     data[0] = 0;                /* 8 bytes name */
     data[1] = 8;
-    memcpy (&data[2], "duration", sizeof ("duration"));
+    memcpy (&data[2], "duration", 8);
     data[10] = 0;               /* double */
     GST_WRITE_DOUBLE_BE (data + 11, d);
     script_tag = gst_buffer_join (script_tag, tmp);
@@ -713,7 +713,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
         data = GST_BUFFER_DATA (tmp);
         data[0] = 0;            /* 12 bytes name */
         data[1] = 12;
-        memcpy (&data[2], "AspectRatioX", sizeof ("AspectRatioX"));
+        memcpy (&data[2], "AspectRatioX", 12);
         data[14] = 0;           /* double */
         GST_WRITE_DOUBLE_BE (data + 15, d);
         script_tag = gst_buffer_join (script_tag, tmp);
@@ -724,7 +724,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
         data = GST_BUFFER_DATA (tmp);
         data[0] = 0;            /* 12 bytes name */
         data[1] = 12;
-        memcpy (&data[2], "AspectRatioY", sizeof ("AspectRatioY"));
+        memcpy (&data[2], "AspectRatioY", 12);
         data[14] = 0;           /* double */
         GST_WRITE_DOUBLE_BE (data + 15, d);
         script_tag = gst_buffer_join (script_tag, tmp);
@@ -740,7 +740,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
     data = GST_BUFFER_DATA (tmp);
     data[0] = 0;                /* 15 bytes name */
     data[1] = 15;
-    memcpy (&data[2], "metadatacreator", sizeof ("metadatacreator"));
+    memcpy (&data[2], "metadatacreator", 15);
     data[17] = 2;               /* string */
     data[18] = (strlen (s) >> 8) & 0xff;
     data[19] = (strlen (s)) & 0xff;
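Review bot: The 16-bit length prefix written to `data[18]`/`data[19]` is `strlen (s)` masked to two bytes, and nothing visible in this hunk bounds `s` to 0xffff bytes. If the allocation and copy that follow outside the hunk use the full `strlen (s)`, the prefix and the payload would disagree for an over-long string. Computing the length once, `gsize s_len = strlen (s);`, and rejecting or truncating when `s_len > G_MAXUINT16` before writing the two bytes would make that invariant explicit. The `creationdate` hunk has the same pattern at `data[15]`/`data[16]`. Where `s` comes from is not shown here, so this may be unreachable in practice.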
@@ -775,7 +775,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
     data = GST_BUFFER_DATA (tmp);
     data[0] = 0;                /* 12 bytes name */
     data[1] = 12;
-    memcpy (&data[2], "creationdate", sizeof ("creationdate"));
+    memcpy (&data[2], "creationdate", 12);
     data[14] = 2;               /* string */
     data[15] = (strlen (s) >> 8) & 0xff;
     data[16] = (strlen (s)) & 0xff;
@@ -1019,7 +1019,7 @@ gst_flv_mux_write_index (GstFlvMux * mux)
   data[0] = 2;                  /* string */
   data[1] = 0;
   data[2] = 0x0a;               /* length 10 */
-  memcpy (&data[3], "onMetaData", sizeof ("onMetaData"));
+  memcpy (&data[3], "onMetaData", 10);
 
   script_tag = gst_buffer_join (script_tag, tmp);
 




